The Embed Policy provides a "standalone" policy that does not need to talk to the PGP Encryption Server (Symantec Encryption Server) while managing policy that cannot be modified. This article will provide information on how this works.
Symantec Encryption Desktop Managed Installs with the Embed policy option
With the Preset Policy Group option, it is possible to select to embed policy and license information into the installer to force the clients to be disconnected from the PGP Encryption Server. If this is done, there is no connection between the client and the PGP Encryption Server.
The client never receives any updated policy information from the PGP Encryption Server, even if the policy is updated on the server side. Policy information normally downloaded during installation is instead embedded in the installer itself.
The Organization Key and ADK, however, are not included in embedded policies. This option is useful for PGP Drive Encryption-only deployments that cannot connect again to the PGP Encryption Management Server. If you need Drive Encryption and Recovery Tokens "offline", Symantec Endpoint Encryption (SEE) has this functionality.
If a Symantec Drive Encryption deployment never connects to the PGP Encryption Server, Whole Disk Recovery Tokens, along with other policy features, may not be used.
Tip: If you have clients that need to be encrypted with Drive Encryption and will never communicate with the PGP server, we recommend using Symantec Endpoint Encryption (SEE), because no recovery tokens will be available in this mode; SEE can encrypt a system and uses "Connectionless" recovery. In Connectionless Recovery, the SEE client can encrypt the hard drive, and even if it never communicates with the Encryption Server, a recovery key can be provided to unlock the machine. Symantec Endpoint Encryption is "machine based", whereas PGP is "user based". If you own a license for PGP Drive Encryption, you are entitled to use SEE Drive Encryption. Reach out to Symantec Enterprise Support for further assistance on this. For a product comparison of SEE vs. PGP, see the following article: 151074 - Symantec Endpoint Encryption and PGP Encryption Solutions Comparison
NOTE: This option is not recommended for other PGP Encryption Desktop deployments and caution should be exercised when considering this option as many product features do not work in this mode. Instead, consider enrolling a Drive Encryption-Only client at least one time so a recovery token is available. If the client never communicates with the server again, the client will continue to function as long as the license number being used never expires.
Special consideration should be given when using the Embed Policy option, as some functionality is not available when using this feature, as listed below:
Note: The Embed Policy option is for Windows only. This feature is not intended to be used for Linux or Mac OS X. The Embed option is grayed out when attempting to download from the PGP Universal Server for Linux or Mac operating systems. A feature request has been logged for this functionality and can be viewed in article 157084.
Creating a Managed PGP Drive Encryption Installation with Embedded Policy
Changing Symantec Encryption Desktop configured client Policies
Note: If there is a requirement to install a new Symantec Encryption Desktop configured client with the Embed option, or a Standard configured client that must contact a Symantec Encryption Management Server, be sure to delete the PGP preferences (both Embedded and Standard preference files) that are left behind, as these files will interfere with the new installation and will use old settings.
PGP Preference files for Windows 7\8\10\11:
Embedded Preference file: C:\ProgramData\PGP Corporation\PGP\PGPadmin.xml
Standard Preference files: C:\Users\User Account\AppData\Roaming\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml
Delete the PGP preference files only after the PGP uninstall has completed: the files are re-created as soon as PGP runs again, so removing them while the software is still installed has no lasting effect.
Errors caused by the Embed policy option
If the Embed policy option has been used during the creation of a Standard configured PGP Desktop installation that must contact a PGP Encryption Server, the enrollment process will not work properly and the error "Unable to connect to configuration server" can occur.
If using a Standard configured PGP Desktop installation and sending Whole Disk Recovery Tokens to the PGP Encryption Server is enforced, the error "The administrative server is not available for storing the Whole Disk Recovery Token" will be displayed.
In addition to the errors displayed above, enrolling with LDAP will also be problematic. The Embedded preference policy was not designed to connect to any PGP Encryption Server. Because this connection cannot be established with the PGP Encryption Server, an email address prompt will be displayed instead of LDAP credentials during LDAP enrollment. Enrollment will fail at this point and will display one or more of the errors displayed above.
The solution to the above errors when using a Standard PGP Desktop configured install that must contact a PGP Encryption Server is to uninstall the PGP Desktop software, delete the above-mentioned preference files (PGPprefs.xml and PGPadmin.xml) and create a new configured installation without the Embed policy option. To obtain a completely fresh installation, simply delete the PGP Corporation folders located in Application Data (AppData for Windows Vista).
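The following PowerShell script is an added example, not part of the Symantec article: it inventories the preference files named above (the machine-wide PGPadmin.xml and the per-user PGPprefs.xml/PGPpolicy.xml), flags a leftover embedded file so the cause of the enrollment errors is visible, and with -Remove deletes them only once the client is no longer installed. The uninstall-registry DisplayName patterns used to detect an installed client are an assumption, not taken from the article.

```powershell
<#
  Added example (not Symantec's code). Lists leftover PGP preference files and,
  with -Remove, deletes them after the uninstall has completed.
  Assumption: the DisplayName patterns below are a guess at how the client
  appears in the uninstall registry; adjust them for your environment.
#>
param([switch]$Remove)

# Paths from the article: one machine-wide embedded file, two per-user standard files.
$embedded = Join-Path $env:ProgramData 'PGP Corporation\PGP\PGPadmin.xml'
$perUser  = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $base = Join-Path $_.FullName 'AppData\Roaming\PGP Corporation\PGP'
        Join-Path $base 'PGPprefs.xml'
        Join-Path $base 'PGPpolicy.xml'
    }

$found = (@($embedded) + @($perUser)) | Where-Object { Test-Path -LiteralPath $_ }

if (-not $found) { Write-Host 'No PGP preference files present.'; return }

# A leftover PGPadmin.xml makes the next install behave as an Embed Policy
# client even when a Standard (server-connected) installer is used.
foreach ($f in $found) {
    $kind = if ($f -like '*PGPadmin.xml') { 'embedded' } else { 'standard' }
    Write-Host ('{0,-9} {1}' -f $kind, $f)
}

if (-not $Remove) { return }

# Only delete once the client is uninstalled; otherwise it re-creates the files.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Encryption Desktop*' -or $_.DisplayName -like '*PGP Desktop*' }

if ($installed) {
    Write-Warning "Client still installed ($(@($installed)[0].DisplayName)); uninstall it first."
    return
}

$found | Remove-Item -Force -Verbose
```

Run it without -Remove first to see which files exist; an "embedded" line on a client that should enroll against the server explains the "Unable to connect to configuration server" error.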
If the intention was to use a configured policy with the Embed option and the PGP Whole Disk client is unable to contact the PGP Encryption Server, most likely a valid hostname for the PGP Encryption Server was used. This should be changed to an invalid hostname so the PGP Whole Disk client does not attempt to contact the PGP Encryption Server. Also, a Mail Server Binding may have been entered. In both cases, a new PGP Desktop configured install should be created with the Embed option.
For information on how to convert an Embed Policy client into the standard managed client which communicates with PGP Encryption Management Server without the need of uninstalling the software, reach out to Symantec Encryption Support for further guidance.